Abstract

A garbling scheme is used to garble a circuit C and an input x in a way that reveals the output C(x) but hides everything else. Yao’s construction from the 80’s is known to achieve selective security, where the adversary chooses the circuit C and the input x in one shot. It has remained an open problem whether the construction also achieves adaptive security, where the adversary can choose the input x after seeing the garbled version of the circuit C.

A recent work of Hemenway et al. (CRYPTO’16) modifies Yao’s construction and shows that the resulting scheme is adaptively secure. This is done by encrypting the garbled circuit from Yao’s construction with a special type of “somewhere equivocal encryption” and giving the key together with the garbled input. The efficiency of the scheme and the security loss of the reduction are captured by a certain pebbling game over the circuit.

In this work we prove that Yao’s construction itself is already adaptively secure, where the security loss can be captured by the same pebbling game. For example, we show that for circuits of depth d, the security loss of our reduction is \(2^{O(d)}\), meaning that Yao’s construction is adaptively secure for NC1 circuits without requiring complexity leveraging. Our technique is inspired by the “nested hybrids” of Fuchsbauer et al. (Asiacrypt’14, CRYPTO’15) and relies on a careful sequence of hybrids where each hybrid involves some limited guessing about the adversary’s adaptive choices. Although it doesn’t match the parameters achieved by Hemenway et al. in their full generality, the main advantage of our work is to prove the security of Yao’s construction as is, without any additional encryption layer.

Research supported by NSF grants CNS-1347350, CNS-1314722, CNS-1413964. This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.

In our construction of the garbling scheme, we use a symmetric-key encryption scheme \({\varGamma }=(\mathsf {KeyGen}, \mathsf {Enc},\mathsf {Dec})\) which satisfies the standard definition of CPA security and an additional special correctness property below (this is a simplified and sufficient variant of the property described in [LP09]). We need this property to ensure the correctness of our garbled circuit construction.

Definition 5 (Special Correctness)

A CPA-secure symmetric-key encryption \({\varGamma }=(\mathsf {KeyGen}, \mathsf {Enc},\mathsf {Dec})\) satisfies special correctness if there is some negligible function \(\varepsilon \) such that for any message m we have:

It’s easy to see that this scheme is CPA secure and that it satisfies the special correctness property.

Double Encryption Security. For convenience, we define a notion of double encryption security, following [LP09]. This notion is implied by standard CPA security but is more convenient to use in our proof of garbled circuit security.

The adversary \(\mathcal {A}\) on input \(1^{\lambda }\) outputs two keys \(k_a\) and \(k_b\) of length \(\lambda \) and two triples of messages \((x_0, y_0, z_0)\) and \((x_1, y_1, z_1)\) where all messages are of the same length.

\(\mathsf {RecRemoveBlack}(C,i)\): This is the same as \(\mathsf {RecPutBlack}\), except that instead of putting a black pebble on gate i, in steps 1 and 3, we remove it.

To analyze the correctness of this strategy, we note the following invariants: if the circuit C is in a configuration where it does not contain any pebbles at any level below that of gate i, then (1) the procedure \(\mathsf {RecPutBlack}(C,i)\) results in a configuration where a single black pebble is added to gate i, but nothing else changes, (2) the procedure \(\mathsf {RecRemoveBlack}(C,i)\) results in a configuration where a single black pebble is removed from gate i, but nothing else changes. Using these two invariants the correctness of the entire strategy follows.

To calculate the number of black pebbles used and the number of moves that the above strategy takes to pebble C, we use the following simple recursive equations. Let \(\mathsf {\#PebPut}(d)\) and \(\mathsf {\#PebRem}(d)\) be the number of black pebbles on gate i and below it used to execute \(\mathsf {RecPutBlack}\) and \(\mathsf {RecRemoveBlack}\) on a gate at level d, respectively. We have,

Therefore the strategy requires at most 2d black pebbles to pebble the circuit.

To calculate the number of moves it takes to run \(\mathsf {Pebble}(C)\), we use the following recursive equations. Let \(\mathsf {\#Moves}(d)\) be the number of moves it takes to put a black pebble on, or remove a black pebble from, a gate at level d. Then

Hence, each call of \(\mathsf {RecPutBlack}\) takes at most \(4^{d}\) moves, and the total number of moves to pebble the circuit is at most \(q 4^{d}\). In summary, the above gives us a strategy to pebble any circuit with at most \(\gamma = q 4^d\) moves and \(t = 2d\) black pebbles.
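The recursive strategy and its two bounds can be checked by simulation. The sketch below is an added example, not code from the paper: it plays the strategy on a constructed layered circuit and counts moves and simultaneous black pebbles. Assumptions not shown on this page: the two game rules stated in the comments, the body of \(\mathsf {RecPutBlack}\) (pebble both predecessors, put the pebble on gate i, then clear the predecessors), input gates sitting at level 1, and all Python names.

```python
# Added illustration, not code from the paper. The two game rules and the body
# of RecPutBlack are assumptions; input gates are taken to sit at level 1.

def layered_circuit(depth, width):
    """Constructed sample: gate k at level l > 1 reads gates k and k+1 (mod width)
    of level l-1. Requires width >= 2 so the two predecessors differ."""
    preds = {}
    for lvl in range(depth):
        for k in range(width):
            below = (lvl - 1) * width
            preds[lvl * width + k] = () if lvl == 0 else (below + k, below + (k + 1) % width)
    return preds

class Pebbler:
    def __init__(self, preds):
        self.preds = preds
        self.succs = {g: [] for g in preds}
        for g, ps in preds.items():
            for p in ps:
                self.succs[p].append(g)
        self.black, self.gray = set(), set()
        self.moves = self.peak_black = 0

    def _move_black(self, g, put):
        # Assumed rule 1: a black pebble may be placed on or removed from g only
        # if g is an input gate or both of its predecessors hold black pebbles.
        if not all(p in self.black for p in self.preds[g]):
            raise ValueError(f"illegal black move on gate {g}")
        if (g in self.black) == put or g in self.gray:
            raise ValueError(f"gate {g} is in the wrong state")
        (self.black.add if put else self.black.remove)(g)
        self.moves += 1
        self.peak_black = max(self.peak_black, len(self.black))

    def rec_black(self, g, put):
        """RecPutBlack (put=True) or RecRemoveBlack (put=False) on gate g."""
        for p in self.preds[g]:
            self.rec_black(p, True)       # pebble both predecessors
        self._move_black(g, put)          # the only step that differs
        for p in self.preds[g]:
            self.rec_black(p, False)      # clean up below g

    def pebble(self):
        for g in sorted(self.preds, reverse=True):   # output level first
            self.rec_black(g, True)
            # Assumed rule 2: black -> gray needs a pebble on every successor.
            if not all(s in self.black or s in self.gray for s in self.succs[g]):
                raise ValueError(f"illegal gray move on gate {g}")
            self.black.remove(g)
            self.gray.add(g)
            self.moves += 1
        return self.moves, self.peak_black
```

On a depth-3, width-2 circuit (q = 6 gates), `Pebbler(layered_circuit(3, 2)).pebble()` returns 60 moves and a peak of 5 black pebbles, inside the bounds \(q 4^d = 384\) and \(2d = 6\).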